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(54) Method and apparatus for controlling software access to system resources 

(57) Methods, systems, and software for installing 
and operating selected software applications on a client 
computer that is in convnunication with a server compu- 
ter on a computer network are descrit}ed. In one aspect 
of the present invention, a method for controlling the 
degree of access to operating system resources for a 
software program running on a computer that is running 
said operating system is provided. The degree of 
access to the operating system resources is defined tor 
the software program, and at least one file Including 
instructions for executing the software program is 
loaded on the computer from the sender computer. The 
file is examined to determine the degree of system*level 
access available to the software program when the soft- 
ware program is being executed by the computer. The 
software program is executed, and a program instruc- 
tion associated with the software program is intercepted 
when the software is being executed on the computer. A 
determination is then nude to determine if the program 
instruction includes an operation that is outside of a 
degree of system-level access that is available to the 
software program, and if It Is determined that the soft- 
ware program has permission to access system-level 
resources associated with the computer that are witNn 
the degree of system-level access available to the soft- 
ware, the program instruction is executed. 
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DoscripUon 

BACKGROUND OF THE INVENTION 

1. Field of Invention 

The present invention relates generally to methods 
and apparatus for controlling the access to computer 
resources by software running on a computer. More 
specifically, the present invention relates to methods 
and apparatus for controlling the access to system 
resources on a client computer by software download&j 
to the client computer from a server computer. 

2. Background 

Prior to the rise of the personal conrtputer. computer 
users were limited to operating software that ran on 
large, mainframe computers using terminals that typi- 
cally included a keyboard for entering data and com- 
mands and a video display device (or printer) tor 
viewing output. Although mainframes provided very 
powerful computing plattorms. they suffer^ from seri- 
ous drawbacks. In particular, mainframes were expen- 
sive to install and operate and they require all users to 
be connected directly to the mainframe through a ternr^- 
nal. which limited access to the mainframe for many 
people. In ^ition, users had very limited control over 
their computing environments, usually having to axbpi 
their work styles and problems to suit the software and 
administration of the mainframe computer. 

Beginning in the late 1970*s personal computers 
began to overtake mainframes as the dominant comput- 
ing platform tor both personal, business, and so otitic 
uses. For single users, personal computers often could 
provUe the same computing speed as the older main- 
frames that had to accommodate many processing jobs 
simultaneously. In addition, software that ran on the per- 
sonal computers became more "user-friendly." thereby 
allowing computer users to adapt both the computer 
and the software to suit their particular computation 
needs. The release from requiring a connection from a 
terminal to a mainframe allowed personal computers to 
be located just about anywhere within an organization 
or at home. This capability further assured the domi- 
nance of the personal computer over the mainframe as 
computing power could be located at sites where it was 
needed. No longer did users have to tailor their opera- 
tions around large, expensive, finicky mainframe com- 
puting centers. 

As the computing power and data storage capaci- 
ties of personal computers exploded throughout the 
1980s, the dominance of the personal computer 
seemed to be assured. As the 19808 drew to a close, 
however, a new phenomenon began to emerge which 
appears likely to overtake the personal conputer revo- 
lution of the past two decades. Today, ever increasing 
numbo's of personal computers are linked to each ottier 



through high spe^ data networks. The most popular 
network cun-entiy is the "Internet." which is the network 
comprising various business, academic, and personal 
computer sites across the globe. The popularity of the 

5 Interne!, and. more particularly, that aspect of the Inter- 
net referred to as the "World Wide Web." has prompted 
many organizations to form internal conputer networks, 
which are often referred to as Intranets." This interest in 
network conrputing has been sparked by a combination 

10 of high spe^ data networks and increasingly sophisti- 
cated network servers, routers and other devices which 
allow many independent personal computers to com- 
municate efficientiy. 

The attractiveness of the World Wide Web stems in 

IS part from its highly visual character, the same factor that 
played a large role in the rise of the personal computer 
and its dominance over the mainframe. Typically, the 
World Wide Web is organized into various "web sites" 
which typically comprise a server that transmits data to 

20 a client computer running a t>rowser." The browser is 
software that provides a user with a window and various 
controls through which data from the server can be 
viewed and navigated. A particularly useful feature of 
Worki Wide Web data is its ability to be linked through 

25 hypertext commands such that users can quickly navi- 
gate from one document to another artd even from one 
web site to another through very simple intuitive com- 
mands such as tiie activation of a mouse button. Using 
tiie WorM Wide Web. users can view and/or download 

30 text, graphics and hear sounds from sites all over ttie 
globe. In additim users can also download new soft- 
ware, or software capable of modifying programs 
already installed on the client computers. 

These same features available to users of the 

35 WorM Wide W$b on ttie Internet can also be provide to 
users of a tocal network ttirough an "intranet", a non- 
pi^lic computer network that includes clients and serv- 
ers arranged analogously to ttie Internet. This capability 
has received increasing attention from many organize- 

40 tions as information useful to employees canying out 
their assignments can be distribute quickly ttiroughout 
ttie network to personal computers within the organiza- 
tion. In particular, many organizations are utilizing 
intranets to provide access to databases and custom 

4$ software programs for individuals in ttie organization 
using such intranets. For example custom software 
applets aeated using the Java^ programming lan- 
guage (available commerdally from Sun Microsystems 
of Palo Alto. California), can be operated in conjunction 

50 witti software and data already installed on ttie remote 
computer which is either external or internal to ttie 
intranet to provide users access to data and software 
specific to ttieir job tasks wittiout ttie difficulties associ- 
ated with disseminating and maintaining many copies of 

55 special-purpose software as has been done tradition- 
ally 

It is often desirable tor software distributed ttirough 
a secure intranet to have full access to the system 
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resources of the diem computer: whereas software dis- 
tribute over less secure networks ext&'nal to the 
intranet system generally are allowed little or no access 
to system resources, such as fBe moving capabilities, as 
such software cannot always be trusts. For example, 5 
some software applications include functions that install 
computer viruses on the host computer. Other software 
application may copy, alter, or delete critical data fron 
the host computer and even forward that data to another 
computer system surreptitiously. Unfortunately, there is to 
no viable method or apparatus to ^ab!e trusted soft- 
ware to access certain resources while restricting other 
software from accessing the same resource. Users are 
therefore left with a trade-off between enabling all soft- 
ware (trust&j or suspect) access all system resources rs 
or limiting the access of all software in an effort to pre- 
serve the security of the client system 

Thus, it would be of great benefit to computer users, 
and especially computer users within organizations in 
which multiple computer users are connected through a 20 
computer network, to provide methods and systems for 
controlling resource access for both information and 
software over the network so that the above-described 
problems associated with highly decentralize compu- 
ter networks can be mitigated. As will be described here 25 
and below, the present inventton meets these and other 

SUMMARY OF THE INVENTION 

30 

The present invention addresses the above- 
described difficulties in managing software distribution 
across networked computers by providing, in one 
aspect, a method, system, and software for controlling 
the access to server resources by selected software as 
applications on a first conputer acting as a client com- 
puter that is in communication with a second computer 
acting as a server computer on a computer network. 

In one aspect of the present invention, a method for 
controlling the degree of access to operating system 40 
resources for a software program running on a compu- 
ter. The degree of access to the operating systm 
resources is defined for the software program, and at 
least one file including instructions for executing the 
software program is loaded on the computer. The file is 45 
examined to determine the degree of system-level 
access available to the software program when the soft- 
ware program is being executed by the computer. The 
software program is executed, and a program instruc- 
tion requesting access to secure resources associated so 
with the software program is intercepted when the soft- 
ware is being executed on the computer. A determina- 
tion is then made to determine if the program instruction 
includes an operation that is outside of a degree of sys- 
tem-level access that is available to the software pro- 55 
gram, and If it is determined that the software program 
has permission to access system-level resources asso- 
ciated witti the computer that are within the degree of 



system-level access available to the software, the pro- 
gram instruction is execute. 

In another aspect of the present invention, a 
method tor controlling ttie degree of access to system 
resources for a software program running on a dient 
computer that is running the operating system, where at 
least some of the operating system resources reside on 
a server computer that is couple with the client compu- 
ter, is provide. The degree of access to the operating 
system resources for the software program is define, 
and at least one file including instructions for executing 
the software program on the client computer is loade. 
The file is examine to determine the degree of system- 
level access available to the software program when ttie 
software program is being execute by the dient com- 
puter. The software program is execute on the dient 
computer, and a program instruction associate with the 
software program is intercepte when the software pro- 
gram is being execute on the client computer. A deter- 
mination is nuide regarding whettier the program 
instruction inciees an operation that is outside the 
degree of system-level access available to the software 
program, and when it Is determine that the software 
program has permission to access system-level 
resources that are within the degree of system-level 
access available to the software program, the program 
instruction is executed. These, and other aspects and 
advantages of the present invention, will become appar- 
ent when the Description below is read in conjunction 
with the accompanying Drawings. 

BRIEF DESCRIPTION OF THE DRAWINGS 

The invention, together with further advantages 
thereof, may best be understoe by reference to the fol- 
lowing description taken in conjunction with the accom- 
panying drawings in which: 

Rg. la is a diagrammatic representation of a wide 
area computer network in which both users and 
intranets are couple t>y a computer network 
through the Internet. 

Hg. 1b is a diagrammatic representation of a con- 
ventional intranet system. 
Fig. 2a is a diagrammatic representation of a collec- 
tion of dass files in accordance with an embei- 
ment of ttie pres&it invention. 
Rg. 2b is a diagrammatic representation of an 
archive file data format in accordance with an 
embeiment of the pres&it Invention. 
Rg. 3a is a diagrammatic representation of a dient- 
side directory structure in accordance with an 
emtxxJiment of the present invention. 
Rg. 3b Is a cfiagrammatic representation of the 
structure of a client-side configuration file in accord- 
ance with an embeiment of ttie present invention. 
Rg. 3c is a diagrammatic repr^entation of the 
structure of a dient-side access file in accordance 
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with an embodiment of the present Invention. 
Rg. 3d is a diagrammatic representation of the 
structure of a client-side group specification file in 
accordance with an embodiment of the present 
invention. 

Fig. 4 is a process flow diagram which illustrates a 
method of executing a request to access a resource 
in accordance with an embodiment of the present 
invention. 

Rg. S is a process flow diagram which illustrates the 
steps associated with validating dass files in 
accordance with an embodiment of the present 
invention. 

Rg. 6 is a process flow diagram which illustrates the 
steps associated with executing an applet in 
accordance with an embodiment of the present 
invention. 

Fig. 7 Is a process flow diagram which illustrates the 
steps associated with calling a security manager in 
accordance with an embodiment of the present 
invention. 

Rg. 8 is a diagrammatic representation of a compu- 
ter system in accordance with the present inven- 
tion. 

DETAILED DESCRIPTION OF THE DRAWINGS 

Certain embodiments of a method and apparatus 
for controlling the access by applets to system 
resources will be described below making refer&ice to 
the accompanying drawings. 

An illustration of one network in accordance with 
the present invention is provided in Rg. la. Included in 
the network illustrated in Fig. 1a are intranets 102 and 
104 and an individual external computer shown at 106. 
The structure of intranets 102 and 104 is described in 
greater detail below with respect to Fig. lb. Both the 
intranets and the user are connected to the computer 
network through a variety of computer gateways 
(-Q/VT). In some embodiments, the computer network 
includes the Internet Refemng to Rg. la more ^>ecifi- 
cally. intranet 102 is coupled with intranet 104 and user 
106 through the Internet which is shown genially at 
108. The connection between intranet 102 and the 
Intemet 108 is provided first through a gateway 1 10 
which is coupled with intranet 102 and a 'bacWxjne," or 
high capacity dateline 112. Data from a high ca|»city 
line 112 is routed through gateway 114 through the 
Intemet 108 which data passes through a second gate- 
way 1 16 and into high capacity dateline shown at 118. 
As will be appreciated by those of skill in the computer 
network arts, dateline 1 18 can be the same as dateline 
112. or may repres^t a strata backbone to which 
various other indivicfcjals. or users, and networks are 
coupled. 

Data that travels from intranet 102 through the 
Internet 108 and over high speed dateline 1 18 passes 
through gateway 120 to intranet 104 or through gateway 



124 to user 106. Thus, according to the illustrated 
embodiment data can be passed among user 106, 
intranet 104. and intranet 102. In particular, the data 
may travel through the Intemet 108 as just described, or 

5 may pass across backt>one 118 between user 106 arKl 
intranet 104. In some en^>odiments. intranet 104 and 
intranet 102 can be couple directly through network 
configurations known to those of skill in the art as 
"extranels". Extranets are network arrang&nents in 

10 which a given network or individual is couple with a 
remote network through a d^icated data conn^on. 
This connection may include data that is routed through 
the Intemet as illustrated in Rg. la. or may be a direct 
data feed, such as through an ISDN or T-1 dateline. Var- 

15 ious configurations in addition to methods and materials 
for establishing such configuratk>ns will be apparent to 
those of skill in the computer network and telecommuni- 
cations arts. 

One embodiment of an intranet, such as illustrated 

20 in Fig. la at 102 or 104, is provided In Rg. 1b at SO. A 
typical intranet 50 includes a server 60 which is couple 
with clients 62 and 64. In addition, server 60 can be cou- 
pled to other di^ computers such as shown at 70. 72, 
and 74 through a router, hub or similar data transfer 

25 device such as shown at node SB, In addition, remote 
clients (not shown) can be connected to server 60 either 
through a direct line or through the use of telephone 
lines using, e.g.. a modem or similar device. In some 
cases, access to intranet 50 will be controlled to a high 

30 degree by a lirewair configuration which is illustrated 
by the box 75. The establishment of communications 
from users external to the firewall, such as remote client 
78, can be achieved by traversing a gateway which 
allows access to the protects server. Such a gateway 

35 is illustrated at 76. 

Typically, a server provides data and software that 
is accessible to the various clients which are in commu- 
nication with the server, either directly or through a 
device such as a router. The construction, maintenance, 

40 and operation of the server, router, and various client 
machines will be well known to those of skill in the art. 
In some particular embodiments, server 60 will be con- 
figured to provtie data that is compatible with browser 
software such as that used to view data on the Workj 

45 Wide Web. Specifically, the data provided by s^ver 60 
will be in the form of pages of data that can be examined 
using typical browser software. In one en^xxfiment the 
server and clients are configured to exchange not only 
data but computer software in the form of "applets." 

50 such as those written in the Java^ programming lan- 
guage available from Sun Microsystems of Pak) Alto. 
California. "Applets" as used herein are software pro- 
grams that are configured to be passed from a source 
computer, typically a server, to a client machine and run 

55 in conjunction with software already installed on the cli- 
ent. In one embodiment, the software with which the 
applet runs is the above-describ^ browser software. 
Typically, applets provide additional functionalities to 
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browser software by performing various computational 
tasks which the browser software itself is not configure 
to perform. Thus, users who download applets can pro- 
vide the browser software with additional functionalities 
that are not othen^nse availatile to the browser software. 5 
Such additional capabilities can include, e.^.. custom 
interfaces to a database. . 

In general, a client, as for example client 62. calls 
into server 60 using a user agent, or a browser. User 
agents include, but are not limited to. HoUava^'^ . availa- 10 
ble from Sun Microsystems. Incorporated of Palo Alto. 
California, and Netscape, available from Netscape 
Communications Corporation of Mountain View. Califor- 
nia. In one embodiment, the user agents generally 
includes a processing engine which executes the applet is 
code, and a security manager used in the determination 
of whether an applet has access to certain system 
resources. Examples of such a security manager are 
provided herein below. 

According to one embodiment a server, locate 20 
either on the Internet or within an intranet, provides 
class libraries which contain class files that define an 
applet. One example of such a class library is a Java"" 
class library. Sp^ifically. a server can contain the class 
files that make up the applet, and the particular Web 2S 
pages including HTML code that references the applet. 

According to one embodiment of the present inven- 
tion, applets are instantiate from class files that are 
downloaded from a source computer, or a server, to a 
client machine. The dass files may be grouped together 30 
into an archive file. Further, an archive file can be digit- 
ally signed, or othenftHse marked, such that the origin of 
an applet crated from the archive file can be reliably 
deterntined. The signature of an archive file can then be 
verified in order to determine which system resources 3S 
are accessible to the machine on which the applet is 
executing. The use of signatures enables the access to 
system resources of the client machine by the applet to 
be controlled, e.g. . by reference to the security status of 
the server from where the applet originated. By way of 40 
example, an applet executing on one client may have 
different access privileges than the same applet execut- 
ing on a second client by virtue of the fact that the per- 
missions associate with the applet on each client may 
be different. This resource access control therefore ^a« 4S 
bles applets assodated with secure machines, eg., 
machines in the same intranet as the machine which 
contains the resources, to have more access to 
resources than applets associate with unsecure 
machines, e.g. . machines on the Internet. so 

Fig. 2a is a diagrammatic representation of a collec- 
tion of dass files in accordance with an emtxxiiment of 
the pres^ invention. The format of the cdlection of 
dass data files, which is generally used on a server, is 
not arrange to accept signatures. That is. each dass ss 
file typically d^ines a dass residing on a server. The 
format is such ttat the cdlection indees any number of 
classes, as for example class "V 202. class 204. 



and class "N** 206. A dass may be ddine as a software 
construct that defines data and methes, or sequences 
of statements that operate on the data, which are spe- 
cific to any applets that are sut)S6quentty oonstructe 
from that class. In other words, as previously state, an 
applet may be oonstructe by instantiating a previously 
define dass. It shoukJ be apprraate that a single 
dass may be use to construct many applets. 

The executfon of an applet usually entails r^uests. 
or commaes. to access system resources. While an 
applet may contain instructions to access many different 
system resources, due to security concerns, an applet 
is either allowe access to all of the specrfie system 
resources or access to none of the spedfie system 
resources under present design restraints. As dis- 
cusse above, this "all-or-nothing" approach to system 
resource access is often ueesirable in that an applet 
running within an intranet system, for example, is 
Iruste." e.g., of Irown origin, while an equivalent 
applet running externally to the intranet system is con- 
sidere to be unsecure. As the applet running within the 
intranet system ae the ^uivalent applet running exter- 
nally are typically given the same access privileges to 
system resources, in order to maintain the security of 
the intranet system, the applets are geneally given no 
access privileges. 

The ability to selectivdy contrd applets from 
accessing resources enables a user within an Intranet 
system to restrict access to resources on an ieividual 
af^let basis. Incieing a "signature." or an identifier, 
with dass files that are use to instantiate an applet is 
one methe which serves to &\BtAe an intranet organi- 
zation to selectively control applets. Signing, or mark- 
ing, dass files such that it is possible to determine 
where the dass files originate enables an Intranet sys- 
tem to deternv'ne the appropriate access privileges 
associate with an applet instantiate from the dass 
files. In addition, signing dass files further enat)l6S a 
determination to be made regarding wheth^ a dass file 
has been tampere with. An archive file structure which 
permits a group of dass files to be digitally signe will 
be describe below with reject to Fig. 2b. 

By providing an archive file which can be digitally 
eigne, it becomes possible to enak^e an applet, either 
internal ae external to an intranet system, that is oon- 
structe from the dass files assodate with the archive 
file to access selecte system resources within the 
intranet system. Checking the digital signature of the 
archive file makes it poss3)le to determine whether a 
given applet has been tampere with, and which com- 
puters have eigne the applet. As such, access privi- 
leges may be allocate base upon whether the applet 
originate from a secure, or truste. host or from an 
unsecure host. In aeition, in some embodiments, the 
allocation of access privileges enables users to decide 
which hosts are to be truste and which are not to be 
truste. 

Rg. 2b is a diagrammatic representatton of an 
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archive file data format in accordance with an embodi- 
ment of the present invention. In the descrb^ embodi- 
ment, the archive format is a Java^ archive (JAR) 
format Archive, or archive file, 210 includes a header 
signature 212 which is the signature that is typically 5 
used by a user agent to verify the validity of archive 210 
and to detemnine the levels of access available to 
archive 210. tn general, header signature 212 is a dgital 
signature which may be a part of a general header that 
contains other information which information includes. 10 
kxit is not limited to, information corre^rding to the 
size of the archive. Archive 210 has any number of 
associated classes, as for example dass "r 202. class 
'*2'* 204, and class "N" 206. from which applets and 
associated objects are instantiate. 75 

Additionally, archive 210 may have associated data 
blocks, as tor example data block 214. Data bkx:k 214 
may contain images, text, or any arbitrary data that is 
conside'ed to be a part of archive 210. In one embodi- 
ment, data block 214 tr^y contain a text string that 20 
desaibes classes 202. 204. and 206 that are associ- 
ated with archive 210. It should be appreciated that in 
other embodiments, archive 210 may not include a data 
block. 

Referring next to Fig. 3a. an embodiment of a di- 25 
ent-side directory structure will be descrlb&j in accord- 
ance with the present invention. A user who nnkes a 
request to access a resource through a client generally 
interfaces with a user directory 302. User directory 302 
has an assodated browser directory 304 which con- 30 
tains information relating to a browser, or a user agent. 
The browser may be any suitable browser, as tor exam- 
ple the HoUava^ browser as mentioned above. 
Browser directory 304 indudes a properties file 306 that 
is appropriate to the request made by the user. Proper- 3S 
ties file 306 typically includes user preference items 308 
which are generally browser specifications that are pro- 
vided by the user. These specifications may indude. but 
are not limited to. data relating to browser set-up and 
behavioral prop^ies associated with the browser. 40 

Properties fOe 306 furthe* indudes intormation that 
is relevant to the particular request made by the user. 
By way of example, such information can include an 
images data block 310. a configuration file name 312. 
and a group pacification file name 31 4. In one embod* 45 
iment. images data block 310 includes data file names. 
i.e., strings, which identify any images ttiat are assod- 
ated with the request. A configuration file name 312 is a 
string ttiat identifies a configuration file which is used to 
facilitate the mapping of a requested resource to asso- so 
dated security descriptors. One example of a configura- 
tion file will be described below witti reference to Rg. 3b. 
Group specification ("spec! file name 314 is a string 
which identifies a group specification file, as will be 
described below wrtti respect to Rg. 3c. 55 

Fig. 3b is a diagrammatic r^resentation of the 
structure of a configuration file in accordance with an 
embodiment of the present invention. Configuratfon file 



350 is an example of a configuration file identifi&l by 
configuration file name 312 as mention^ above witti 
respect to Rg. 3a. Configuration file 350 indudes a 
taUe 352 which assodates resources 354 on a sender, 
Le. , a server which ttie dient wishes to access, with cor- 
resporviing access file names 356. That is. table 352 
assodates an entry in the resources 'column' 354 wHh 
a corr^ponding entry in the access file names "col- 
umn" 356. Resources 354 are generally classifiers 
which identify various system resources, as for example 
fBes, hosts, and socket numbers. Access f ile names 356 
identify corresponding access files which contain secu- 
rity descriptors and other infbrmation that is relevant to 
ttie control of access to system resources with which 
access files are assodated. The structure of an access 
fie will be descrfoed in more detail t>elow with reference 
to Rg. 3c. It shoutd be appreciated that due to the fact 
that more than one resource 354 may share the same 
security descriptor, access file names 356 and. there- 
fore, access files, may be associate with more than 
one resource 354. 

Referring next to Rg. 3c, the structure of an access 
file will be describe in accordance with an ^Tit)odiment 
of the present invention. Access file 360 generally 
includes a table 361 which assodates prindpals 362 
witti permissions 364. Principals 362 nr^y be individual 
hosts or groups of hosts. By way of exanple. "javacom" 
may be an indivklual host, i.e., a server, which is a prin- 
dpal 362. Alternatively, 'java.com" and 'sun.com' may 
form a principal 362 that is a group. In some embcxli- 
ments. prindpals 362 can also be the signers of partic- 
ular archives. Permissions 364 provide groupings of 
security descriptors. That is, permissions 364 are 
groupings of security descriptors which designate the 
resources ttiat prindpals 362. witti which permissions 
364 are assodated. have access. 

Rg. 3d is a diagrammatic r^resentafion of a group 
specification ('spec') file format in accordance with an 
embodiment of the preserrt invention. As mentioned 
above, ttie group specification file name 314 of Rg. 3a 
identifies a group specification file, as for example group 
^ecification file 370. Group specification file 370 
includes a table 371 ttiat assodates group names 372 
with any number of m&nbers 374. Grot^ names 372 
are essentially identifiers ttiat may be us^ to identify a 
groig) of member 374. By way of example, a group 
name, as for example group '1' 372a, may be assod- 
ated with any number of members, as for exanr^ie 
member "1" 374a and member "2" 374b. It shouW be 
appredatoJ ttiat a member, as for example member '1 ' 
374a. may be associate with more ttian one group 
name 372. 

Rg. 4 is a process flow diagram which illustrates a 
mettiod of executing a request to access a resource in 
accordance with an embodiment of ttie present inven- 
tion. The process begins at 402 and in a step 404, a call 
is made from a requesting client, e.g., dient 74 of Rg. 
lb. to a senrer. eg., server 60 of Rg. lb. to initiate ttie 
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downlosKj of eittier at least one dass file, as describe 
above with respect to Rg. 2a. or an archive fBe. as 
desaib^ above with reject to Rg. 2b. The request is 
received on the server in response to a client call made 
through a user agent, /le. a browser, as for example a 
HotJava^ browser or a Netscape Navigator browser as 
previously mentioned. The initiation of the downloading 
of either at least one class file or an arrive file occurs 
in r^ponse to a request to access a resource and. 
hence, is a call to execute an applet In one prefenred 
embodiment, the archive file is a JAR file. 

In a step 406. either the archive file is loaded or the 
class files are loaded from the sender into memory asso* 
dated with the r^uesting dient. In general, class files 
are loaded if the classes are not in an archive file, e.g., 
not digitally signed, and an archive file Is loaded if the 
classes are digitally sign^. It should be appr^ated 
that the archive file has assodat^ dass files. As such, 
loading the archive file invohres loading dass files. After 
the class files are loaded into memory, a validation proc- 
ess is performed on the loaded files in a st^ 408. The 
validation process, which indudes the process of verify- 
ing whether the header signature assodat^ with a 
loaded archive file is valid, in the event that an archive 
file has been loaded, will be described below with refer- 
ence to Fig. 5. 

After the validation process, in a st^ 410. the class 
files are converted into an applet. That is. an applet is 
crated in memory by instantiating the load^ dass 
files, which may or may not be a pari of a JAR file. Once 
the applet is aeated. the applet file is executed in a step 
412. The steps associated with the execution of an 
applet will be describe below with respect to Rg. 6. 

Fig. 5 is a process flow diagram which illustrates the 
steps associated with validating dass files, i.e., step 
408 of Fig. 4. in accordance with an embodiment of the 
pr^ent invention. The process begins at st^ 502. and 
in a step 504. a determination is made regarding 
whether an archive file or a class file has been loaded. 
If a class file has been loaded, then process flow pro- 
cess to a step 506 in which a standard dass verifica- 
tion is performed. A standard dass verification typically 
includes a check of all load&j dass files and. therefore, 
classes, in order to ascertain whether anything in the 
class files may compromise security. In some embodi- 
ments, a check is made to determine if the security of a 
virtual machine, as for example a Java^ virtual 
machine, can be compromise. Standard dass verifica- 
tion methods are generally well known to those of ordi- 
nary skill in the art. Once the standard dass verification 
is perfbrmed, the process of validating the dass files is 
completed at 520. 

If the determination in step 504 is that an archive 
file has been loaded, then in a step 508. the header of 
the archive file is validated, or authenticate. The vali- 
dation of the archive file generally involves an identifica- 
tion of the origin of the archive file based upon the 
header signature. That is, a check is made to establish 



the origin of the header signature and. therefore, the 
archive fBe. The validation may also include a check of 
whether data associated with the archive file is intact It 
should be appreciated that in some embodiments, an 

5 archive file may not include a header signature. By way 
of example, an archive file within an intranet may not be 
signed. In a step 510, a determination is made as to 
whether the header is valkl. If the header is not valid, 
e.g., the content of the archive does not correspond 

10 with the signature, then in a step 514, an error flag or 
the like is raise. In one embodiment, the error flag may 
result in an exertion being thrown. In another &nbodi- 
ment tiie error flag may result in a message being 
returne to the requesting dient. After the en^or flag is 

15 raise, the process of vacating class files ends at 520. 
If the heeer is foue to be vaTtd in step 510. proc- 
ess flow moves from stjBp 51 0 to a step 512 which is the 
determination of whether any dasses associate with 
the archive file renrmin to be valklate. If there is a dass 

20 to be validate, then in a step 51 6. a staeard class ver- 
ification is performe. As previously describe in step 
506, a standard class verification indudes a check of 
whether anything in a giv&i dass may conpromise the 
security of a virtual machine. By way of example, the 

25 security of a virtual machine may be compromise if 
something in a given dass can ovenAfrite files or mem- 
ory on the virtual machine. Alter the standard class ver- 
ification is conrplete on the given dass. process 
control returns to st^ 512 in which a determination is 

30 made regarding whether there are any more dasses 
which are to be valkSate. Process control loops 
between steps 512 and 516 until a determination is 
mee in st^ 51 2 tiiat no more dasses remain to be val- 
idate, at which point the process of validating dass 

35 files is complete at 520. 

Rg. 6 is a process flow diagram which illustrates ttie 
steps associate with executing an applet in accord- 
ance with an emtx^diment of the present invention. That 
is. step 412 of Fig. 4 will be describe. The process 

40 begins at 602. ae. in a step 604, a determination is 
made as to whether the applet contains an instruction to 
execute an operation. The operation may generally be a 
call to access a system-level resource. If the applet 
does not contain an instruction to execute an operation. 

45 then the process of executing the applet ees at 616. If 
the applet does contain an instruction to execute an 
operation, then process flow procees to a step 606 in 
which it is determine whether the operation to be exe- 
cute is a protecte. e.g.. secure, operation. That is. a 

50 determinatk>n is made regarding whether the operation 
is an operation to which access is controlie. If it is 
determine that the q^eration is not protecte, then the 
operation is execute in a step 608. and process flow 
returns to step 604. which is the determination of 

55 whether there is an instruction to execute another oper- 
ation. 

If it is determine in st^ 606 that the operation in 
the instruction to execute is protecte. then process f tow 
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moves to a step 610 in which the applet security man- 
ager is called. The process of calling the security man- 
ager will be describoj in more detail below with 
reference to Fig. 7. The applet security manager typi- 
cally controls the operations which are accessiUe to 
given applets, in one embodiment, the applet security 
nianager is a Java™ c^let security manager. In a step 
612. it is detenroned whether the operation is allowed. 
In other words, step 612 is the determination of whether 
the applet has access to the operation which is to be 
executed. If the operation is allowed, then the operation 
is executed in step 608. From step 608. process control 
returns to step 604 which is the determination of 
whether there is an instruction to execute another oper- 
ation. 

If the determination in step 612 is that the operation 
is not allows, then an ^ror condition occurs, which can 
be implemented by having an exception is thrown in 
step 614, and the process of executing the applet ends 
at 616. It should be appreciated that in some embodi- 
ments, the step of throwing an exception may involve 
calling a throw function. In other embodiments, the st^ 
of throwing an exception may involve transmitting an 
error message which may be displayed by a user agent 
that is associated with the requesting client. In still other 
embodiments, the &ror handling may cause an interac- 
tion with the user to occur in the form of asking whether 
the user BSsprwBS the performance of the operation by 
the applet. In such ^bodiments. access files can pos- 
sibly be updated to permanently record the re^nse 
provided by the user. 

Referring next to Fig. 7. the process of calling a 
security manager, /.e.. step 610 of Fig. 6. will be 
desaibed. It should be appreciated that a user agent 
generally has only one associated security manager. 
The process of calling a security manage begins at 702 
and in a st^ 704. the operation which is being called by 
the a^let Is identified. Although the operation may be 
any one of a nunter of operations, the operation is gen- 
erally a read operation or a write operation. From step 
704. process flow proceeds to a step 706 in which the 
name of the resource associated with the operation is 
identified. In some embodiments, the name of the 
resource is passed into the call to the security manager 
and. hence, is readily identified. However, when the 
name of the resource is not passed into the call, the 
properties file, as previously described with reject to 
Rg. 3a. may be us^ to identify the associated 
resource. 

Once the associate r^urce is identified in step 
706. tiie name of the access file which con'esponds to 
the resource is identified using the configuration file, 
which was described earlier with r^ect to Rg. 3b. that 
is associated with the applet. Pemiissions correspond- 
ing to ttie applet are then obtain^ from the access file 
in a st^ 710. It should be appreciated that in some 
embodiments, the appropriate access file may be a rep- 
resentation of the actual access file in memory. The 



access file, as described above with respect to Rg. 3c. 
assodates individual hosts or groups with a set of per- 
missions. After the permissions are obtained, the call to 
the security manager is completed at 712. 

5 Rg. 8 illustrates a typical computer system in 
accordance with the present invention. The computer 
system 830 includes any number of processors 832 
(also refen-ed to as central processing units, or CPUs) 
tttat is couple to menrory devices inducfing primary 

10 storage devices 834 (typically a read only mennory. or 
ROM) and primary storage device 836 (typically a ran- 
dom access memory, or RAM). As is well known in the 
art. ROM 834 acts to transfer data and instructions uni- 
directionally to the CPU and RAM 836 is used typically 

75 to transfer data and instructions in a bi-directional man- 
ner. Both primary storage devices 834. 836 may include 
any suitable computer-readable media as descrbed 
above. A mass memory device 838 is also coupled bi- 
directionally to CPU 832 and provides additional data 

20 storage capacity. The mass memory device 838 may be 
us^ to store programs, data and the lite and is typically 
a secondary storage m^ium such as a hard disk that is 
slower than primary storage devices 834. 836. Mass 
menfK}ry storage device 838 may take the form of a 

25 magnetic or paper tape reader or some ottier well- 
known device. It will be appreciated that the information 
retained within the mass memory device 838. may. in 
appropriate cases, be incorporated in standard fashion 
as part of RAM 836 as virtual memory. A ^ecif ic mass 

30 storage device such as a CD-ROM 834 nriay also pass 
data uni-<firectionally to the CPU. 

CPU 832 is also cot4)l^ to one or more input/out- 
put devices 840 that may indude. but are not limited to, 
devices such as video nrtonitors. track balls, mice, key- 

35 beards, microphones, touch-sensitive displays, trans- 
ducer card readers, magnetic or paper tape readers, 
tablets, styluses, voice or handwriting recognizers, or 
ottier wtil-known input devices such as. of course, other 
computers. Finally. CPU 832 optionally may be coupled 

40 to a computer or tdecommunications network, e.^. . an 
Internet network or an intranet network, using a network 
connection as shown generally at 812. With such a net- 
work connection, it is contemplated that the CPU might 
receive information from the networi^ or might output 

45 information to ttie network In the course of performing 
the above-described method st^s. The above- 
described devices and materials will be familiar to thc^e 
of skill in the computer hardware and software arts. Fur- 
ther, it shouM be appredated by those skilled in the art 

so that the atx)ve desaibed hardware and software de- 
ments, as well as networking devices, are of standard 
design and construction. 

The computer-implemented methods described 
herein can be implemented using techniques and appa- 

55 ratus that are well-known in the computer science arts 
tor executing computer program instructions on compu- 
ter systems. As used herein, the term "computer sys- 
tem' is defined to include a processing device (such as 
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a central processing unit. CPU) for processing data and 
instructions that is coupled with one or more data stor- 
age devices tor exchanging data and instructior^ with 
the processing unit, indudtng. but not limited to, RAM, 
ROM, CD-ROM. hard disks, and the like. The data stor- 5 
age devices can be dedicated, Le. , coupled directly with 
the processing unit, or remote, /.e.. coupled with the 
processing unit over a computer network. It should be 
appreciated that remote data storage devices coi^led 
to a processing unit over a computer network can be to 
capable of sending program instructions to a processing 
unit tor execution on a particular workstation. In addi- 
tton, the processing device can be coupled with one or 
more additional processing devices, either through the 
same physical structure (e^.. a parallel processor), or 75 
over a computer network (e.g.. a distributed proces- 
sor.). The use of such remotely couple data storage 
devices and processors will be familiar to those of skill in 
the computer science arts (see, e.g., RaJston 1993). 
The term "conputer network" as used herein is define 20 
to include a set of communications channels intercon- 
necting a set of computer systems ttiat can communi- 
cate with each other. The communications channels 
can include transmission m^ia such as. but not limited 
to, twisted pair wires, craxial cable, optical fibers, satel- 25 
lite links, or digital microwave radio. The computer sys- 
tems can be distributed over large, or "wide." areas 
(e.g., over tens, hunc^^s. or thousands of miles. 
WAN), or local area networks {e.g. , over several feet to 
hundreds of feet. LAN). Furthermore, various local-area 30 
and wide-area networks can be contined to form 
aggregate networks of computer systems. One example 
of such a confederation of computer networks is the 
"Internet". 

Although only a few embodiments of ttie present 3S 
invention have been described, it shouU be understood 
that the present invention may be embodied in many 
other specific forms without darting from ttie ^irit or 
the scope of the present invention. By way of example, 
although only one configuration of an archive file data <J0 
structure which may be signed has been described, it 
should be appreciated that the archive file data struc- 
ture may be widely varied witiiin the scope of the 
present invention. Further, steps involved with a method 
of executing a request to access system resources may 4S 
be reordered. Steps may also be removed or added 
without departing from the spirit or the scope of the 
present invention. Therefore the described embodi- 
ments should be taken as illustrative and not restrictive, 
and ttie invention shouto be defined by the following so 
claims and their full scope of equivalents. 

Claims 

1. A method for controlling the degree of access to ss 
operating system resources for a software pro-am 
running on a conrputer which computer is running 
said operating system, ttie method comprising ttie 
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steps of: 

(a) ddining said degree of access to said oper- 
ating system resources for said software pro- 
gram; 

(b) examining at least one file associated witti 
said software program to determine the d^ree 
of system-level access available to saM soft- 
ware program when saed software program is 
being executed by said computer; 

(c) executing saM software program on said 
computer; 

(d) intercepting a program instruction associ- 
ated witti said software program when said 
software program is being executed on said 
computer; 

(e) determining if said program instruction 
includes an operation that is outsMe said 
degree of system-level access availat^e to said 
software program; and 

(f) executing said program instruction when it is 
determined ttiat saM software program has 
permission to access system-level resources 
associated with sakJ computer that are wittiin 
ttie degree of systenvlevel access available to 
said software program. 

2. A mettiod as recited in claim 1 wherein saM step of 
determining if said program instruction includes an 
(deration that is outside said degree of system- 
level access available to said software program 
comprises validating an kientifier associated witti 
said software program. 

3. A method as recited in any one of the preceding 
claims wherein said step of executing said program 
insti'uction conprises determining if sakJ system- 
level resources being accessed by said program 
instruction are protected system-level resources. 

4. A method as recited in any one of the preceding 
daims wherein saki software program comprises 
an applet. 

5. A mettiod as recite in claim 4 wherein said applet 
is a Java applet. 

6. A method as recited in one of claims 4 and 5 
wherein said applet is associated with a header, 
said header being arranged to include an identifier, 
said identifier being anang^ to identify said an ori- 
gin of sato file. 

7. A method as recited in daim 6 further induding the 
step of valUating sakJ identifier to determine if said 
computer has permission to access said system- 
level resources. 
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8. A method as recited in one of daims 4-7 wherein 
said contputer is a client comrputer arrd said applet 
is downloaded to said dient computer from a server 
computer. 

9. A method as recited in daim 8 wherein: 

(a) said step of examining indudes determining 
the degree of system-level access to said 
server that is available to said applet when said 
applet is being executed by said cli^ conpu- 
ter as defined by said defining a degree of 
access to said system-level resources associ- 
ate with said server conputer for said applet: 

(b) said step of determining indudes determin- 
ing if said program instruction to access sys- 
tem-level resources associated with said 
server computer includes an operation that is 
outside said degree of system-level access 
available to said applet: and 

(c) said step of executing indudes executing 
said program instruction to access system- 
level resources assodated with said server 
computer when it is detennined that said applet 
has permission to access system-level 
resources assodated with said server compu- 
ter that are within the degree of system-level 
access available to said applet 

10. A method for controlling the degree of access to 
operating system resources for a software program 
running on a dient computer which client conputer 
is running said operating system, wherein at least 
some of said operating system resources reside on 
a server computer that is coupled with said client 
computer through a computer networK the method 
comprising the steps of: 

(a) defining said degree of access to said oper- 
ating system resources for said software pro- 
gram: 

(b) loading at least one file induding instruc- 
tions for executing said software program on 
said client computer: 

(c) examining said at least one file to determine 
the degree of system-level access available to 
said software program when said software pro- 
gram is being executed by said client computer 
as defined by said step of defining said degree 
of access: 

(d) executing said software program on said di- 
ent computer: 

(e) intercepting a program instruction associ- 
ate with said software program when said 
software program is being executed on said di- 
ent computer: 

(f) determining if said program instruction 
includes an operation that is outside said 



degree of systenvlevel access available to said 
software program: and 

(g) executing said program instruction when it 
is determined that said software program fms 
5 permission to access system-level resources 

ttiat are within the degree of system-level 
access available to said software program. 

11. A method as recited in daim 10 wherein said step 
10 of determining if said program instruction indudes 

an operation that is outside said degree of system- 
level access available to said software program 
comprises validating an identifier associated with 
said software program. 

IS 

12. A method as redted in one of claims 10 and 11 
wherein said step of executing said program 
instruction conprises determining if said system- 
level resources being accessed by said program 

20 instruction are protected system-level resources. 

13. A method as redted in one of daim 10-12 further 
induding the steps of: 

25 establishing a data transfer communication link 

between said dient computer and said s^er 
computer across said computer network: and 
transmitting said at least one file from said 
server computer to said dient conputer acr(»8 

30 said computer network. 

14. A method for processing a request from a client to 
access a system resource associated with a first 
server, the mettiod comprising the steps of: 

35 

(a) catling a second server to initiate a down- 
load of files that are relevant to said request; 

(b) loading said relevant files from said second 
server, said relevant files including an archive 

^ file, said archive file induding at least one dass 

file and a header, said header including an 
identifier arrange to indicate the origin of said 
archive file; 

(c) validating said archive file; 

45 (d) converting said class file into an applet: and 

(e) executing sakJ applet, said applet induding 
at least one instruction, wherein executing said 
applet enables sakj client to access said sys- 
tem resource associate with said first server. 

so 

15. A methe for processing a request as rrate in 
daim 14 wherein said step of validating sakJ archive 
file inciees ttie sub-st^ of: 

55 (a) authenticating said heeer; 

(b) determining whether said heeer is valid; 

ae 

(c) performing a class verification on said dass 
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when it is determined that said header is valid. 

1 6. A method for processing a request as recited in one 
of daims 14 and 15 wherein said step of executing 
said applet includes the sut>-steps of: s 

(a) determining whether said instruction is an 
instruction to execute a protected operation; 

(b) executing said operation when it is deter- 
mined that said instruction is not an instruction io 
to execute a protected operation; and 

(c) determining whether said operation is 
allowed when it is determined that said instruc- 
tion Is an instruction to execute a protected 
operation. 15 

17. A computer system tor controlling the degree of 
access to operating system resources comprising: 

a first computer coupled with at least one mem- 20 
ory device which holds therein at least one file 
including instructions for executing a software 
program, said software program running on 
said first computer, said first computer running 
said operating system, said first computer 25 
being configured to: 

(a) define said degree of access to said 
operating system resources for said soft- 
ware program and said first computer 30 
being configured determine if a program 
instruction associated with said software; 

(b) load said at least one file including 
Instructions for executing said software 
program on said first computer; 35 

(c) examine said at least one file to deter- 
mine the degree of system-level access 
available to said software program when 
said software program is t>eing executed 

by said first computer; 4o 

(d) execute said software program on said 
first computer: 

(e) intercept a program instruction associ- 
ated with said software program when said 
software program is being executed on 4s 
said first computer: 

(f) determine if said program instruction 
includes an operation that is outside said 
degree of system-level access available to 
said software program; and so 

(g) execute said program instruction when 
it Is determined that said software program 
has permission to access system-level 
resources associated with said first com- 
puter that are within the degree of system- 55 
level access available to said software pro- 
gram. 



18. A computer system according to daim 17 wherein 
said first computer is arranged to determine if said 
systenfhievel resources being accessed by said 
program instruction are protected system-level 
resources. 

19. A computer-readable medium comprising conrpu- 
ter-readable program code devices configured to 
cause a computer to perform the actions of: 

(a) defining said degree of access to said oper- 
ating system resources for said software pro- 
gram; 

(b) examining at least one file associated with 
said software program to determine the degree 
of system-level access available to said soft- 
ware program when said software program Is 
being executed by said computer: 

(c) executing said software program on said 
computer; 

(d) intercepting a program instruction assod- 
ated with said software program when said 
software program is being executed on said 
computer: 

(e) determining if said program instruction 
indudes an operation that is outside said 
degree of system-level access available to said 
software program; and 

(f) executing said program instruction when it is 
determined that said software program has 
permission to access system-level resources 
assodated with said computer that are within 
the degree of system-level access available to 
said software program. 
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